Method for preserving consistency between worm file attributes and information in management servers
The present invention provides methods to preserve consistency between WORM file attributes in WORM volumes in file server systems. When a user commits a file in a WORM volume to WORM state, some file attributes can be changed before or after committing the file to WORM state so that anyone or predetermined users can read the file. In addition, access to committed WORM files can be selectively permitted.
Latest Hitachi, Ltd. Patents:
The invention is related generally to file servers and in particular to file servers having Write-Once-Read-Many (WORM) data storage.
Presently, many companies are using WORM data storage to meet regulatory compliance or to protect their critical data from accidental or intentional alteration or deletion. Widely used WORM implementations are based on media technology such as tapes, optical platters, etc. However, these media have physical limitations in maximum storage size, which are not enough to keep the data handled in conventional fault-tolerant (e.g. RAID-based) disk storage. For example, a line of software products by Network Appliance, Inc. called SnapLock Compliance provide WORM-like data permanence using magnetic disk drives in a available RAID configuration.
U.S. Application No. 2004/0186858A1 by McGovern et al., incorporated herein by reference, describes a solution to address these limitations. They disclose a technique to employ conventional fault-tolerant disk storage as a platform for a WORM storage system. Their system is organized around WORM storage volumes that contain files that, when committed to WORM storage, cannot be deleted or modified. Any attempt to modify the file attributes, write to the file, or delete the file, by clients, administrators or other entities is rejected.
However, file attributes typically include information that is managed in external servers. Consequently, the consistency between the file attributes and the information in external servers will be lost if the information in external servers is deleted or modified. For example, the file attributes contains the ID number of the user owning the file. In a system where the mapping between the ID number and the user is usually managed in external authentication server, the file may be unable to be read by anybody when the mapping between the ID number and the user is deleted or modified on the authentication server. This presents a potential problem if file access is later desired.
SUMMARY OF THE INVENTIONThe present invention provides methods to preserve consistency between WORM file attributes in WORM volumes in file server systems. In accordance with one aspect of the present invention, when a user commits a file in a WORM volume to WORM state, some file attributes are changed before committing the file to WORM state so that anyone or predetermined users can read the file. In accordance with another aspect of the present invention, when a user tries to read a WORM file in a WORM volume, or when a user tries to change the ownership of a WORM file, the action is allowed if the user has the special authority for WORM files. In accordance with yet another aspect of the present invention, when a user tries to change file attributes of a WORM file, the action is allowed only if the attributes the user is trying to change are access permissions for “READ” and “EXECUTE”. In accordance with still another aspect of the present invention, when a user commits a file in WORM volume to WORM state, the OWNER ID and the GROUP ID in the attributes of the file is communicated to one or external authentication servers, thus preserving the mapping for the user ID and the group ID. In still yet another aspect of the present invention, when a user tries to read a WORM file, the user (original user) is mapped to another user (mapped user). Access is permitted if the mapped user has the authority to read even if the original user does not have authority.
BRIEF DESCRIPTION OF THE DRAWINGSAspects, advantages and novel features of the present invention will become apparent from the following description of the invention presented in conjunction with the accompanying drawings, wherein:
Storage System 101 comprises Disk Controller 1010, Cache Memory 1011, and Disk Drives 1012. Disk Controller 1010 organizes one or more groups of Redundant Array of Inexpensive Disks (RAID), which are called “physical volumes” here.
NAS Clients 11 issue file operation requests via LAN 13.
Authentication Server 12 manages user information so that the information can be shared across the clients and can be easily managed. The user information on the Authentication Server 12 contains username, password, corresponding user ID, group ID of the group that the user belongs to, etc. If Authentication Server 12 receives an authentication request from a NAS Client 11, it checks if the usemame and the password sent from the NAS Client 11 matches the record on it. If they matched, it sends back the user ID and group ID to the NAS Client 11.
The conventional notion of “committing” a file to the WORM state is described, for example, in U.S. Application No. 2004/0186858. A file that is committed to the WORM state possesses a characteristic of a WORM file, namely, that the file cannot be written but only read even though it is stored in a conventional read/writable storage system. Commitment of a file to the WORM state is typically achieved by clearing the write bits (or write attributes) of the file. Other mechanisms for indicating that the file is read-only are possible.
Local File System 1005 divides the rest of the volume into Block Groups 310. Each Block Group 310 contains Super Block 3100, Block Group Descriptor 3101, Data Block Bitmap 3102, inode Bitmap 3103, inode Tables 3104, and Data Blocks 3105.
Super Block 3100 is used to store the location information of Block Groups 310. Every Block Group 310 has the same copy of Super Block 3100. Block Group Descriptor 3101 stores the management information of the Block Group 310. Data Block Bitmap 3102 shows which Data Blocks 3105 are in use. In a similar manner, inode Bitmap 3103 shows which Inodes 31040 in inode Table 3104 are in use.
inode Number 400: The unique number for the inode.
File Type 410: What the inode is used for (file, directory, etc).
File Size 420: The size of the file.
Access permission 430: Bit string expressing access permissions for user (owner), group, other.
User ID 440: ID number of the user owning the file.
Group ID 450: ID number of the group that the user (owner) belongs to. One or more users can be associated with the group.
Create Time 460: The time when the file is created.
Last Modify Time 470: The time when the file is modified.
Last Access Time 480: The time when the file is last accessed.
Block Pointer 490: Pointer to the data blocks where actual data is stored.
Volume Manager 1006 creates and manages two kinds of volume: normal volumes and WORM volumes. Files in the normal volumes are treated as conventional files in conventional file system, which means any files in the normal volumes can be deleted or modified by users who have appropriate authority. But as discussed above, files in the WORM volumes that are committed to the WORM state cannot be deleted or modified by anybody. Here, we refer to such files as “WORM files”. Committing a file to WORM state is accomplished by removing all WRITE permissions for the file (changing the file state to read-only).
Normal volumes and WORM volumes can be distinguished by, for example, placing a WORM flag in empty space in Boot Sector 300 in each volumes. By this means, NAS System 10 can easily examine if a file is in WORM state or not by checking the WORM flag in Boot Sector 300 and the access permissions 430 in inode of each file.
After the user logs in the NAS Client 11, when the user tries to access a file on the NAS System 10, the NAS Client 11 first sends an OPEN request for the file to the NAS System 10 (Step h10).
Returning to
In CIFS protocol, OPEN request is issued using commands like SMB_COM_OPEN or SMB_COM_OPEN_AND_X, and CLOSE request using SMB_COM_CLOSE or SMB_COM_CLOSE_AND_TREE_DISC. In NFS protocol, it depends on its version what kind of commands are used to get file IDs. In NFS version 4 (NFSv4), there are OPEN and CLOSE commands. But in NFS version 2 and 3 (NFSv2 and v3), there aren't commands for OPEN and CLOSE requests. Thus, the flow diagram will be slightly different from
For the purpose of reference, in NFSv2 and v3, NAS Clients 11 use LOOKUP command to get a file ID. Then, the NAS Clients 11 also get file attributes (some information in inode 31040) in response to the LOOKUP command from the NAS System 10. The NAS Clients 11 (instead of NAS System 10) checks if a user has a right authority to open a file in reference to the file attributes. And even when all the operations are done, NAS clients 11 don't send CLOSE request.
In conventional NAS Systems, only the super user “root”, whose user ID is 0, and the owner of the file, whose user ID is the same as that in the inode of the file, are allowed to change access permissions 430. In NAS Systems having a feature of WORM data storage, the same rules are applied for files which are in normal volumes, and files which are in WORM volumes but not committed to WORM state yet. But for the WORM files (the files committed to WORM state), nobody is allowed to change access permissions 430. Committing a file to WORM state is accomplished by removing all the WRITE permissions for the file.
In conventional NAS Systems, only the super user “root” is allowed to change ownership of files. Changing ownership of a file is to change the user ID in the inode of the file. In NAS Systems having a feature of WORM data storage, anybody (even “root”) cannot change ownership of WORM files.
In accordance with a first embodiment of the present invention, some of the inode information is changed when a file is committed to WORM state so that the file can be read by anybody or by predetermined user or users. Thus in accordance with this embodiment of the present invention, a novel process of “committing” a file to the WORM state is disclosed which differs from the conventional notion of “committing” a file to the WORM state.
Change READ permission for “other” users to 1 (allow) so that the file can be read by anybody irrespective of the mapping information on authentication server 12.
Change READ permission for “group” to 1 (allow) so that the file can be read by the users in the same group even if the mapping information for the current owner is deleted or modified on the authentication server 12.
Change READ permission for “owner” to 1 (allow) and user ID to predetermined user ID so that the user IDs that must not be deleted or modified on the authentication server 12 can be narrowed down.
If in step 940 it is determined that the file is not being committed to the WORM state, then the access permission is changed to the new access permission, in a step 960.
Two or more of above can be applied at the same time. Predetermined user IDs can be stored, for example, in empty space of Boot Sector 300 of WORM volumes. After step 950 is performed, then removal of the write permission is effected by performing step 960.
In accordance with a second embodiment of the present invention, a “special” user is created for WORM files who can read or change ownership under any circumstances. The information about the “special” user (e.g., the user ID of the special user) can be stored, for example, in Boot Sector 300 of each WORM volume. This can be performed by the administrator of the NAS System 10. It is also possible to define a “special” group ID so that any user whose group ID is in that “special” group can read or change ownership of files committed to the WORM state.
Returning to the decision step a10, if the file has been committed to the WORM state, then a check is made in a step a20 whether the user ID or the group ID is a predetermined ID, or belongs to a list of predetermined IDs. These predetermined IDs represent special user(s) or special group(s) who can change characteristics of a file that is committed to the WORM state, such as access permissions and ownership. If the user or group ID is not a predetermined user or group ID, then the request is rejected in step a50. Otherwise the request is performed in step a40.
If the user does not have the right authority, a check is made if the file is in WORM state (step b30). If the file is in WORM state, a check is made whether the user ID corresponds to the special user (or belongs to a group) for WORM files (step b40); otherwise the request is rejected. If the user ID corresponds to a special user (or belongs to a special group) for WORM files, Local File System 1005 allows the operation and returns the file ID in a step b50. Thus, the special user for WORM files can read WORM files under any circumstances.
It is noted that the flows shown in
In accordance with a third embodiment of the present invention, the owner can be permitted to change READ and EXECUTE permission for WORM files so that the access permissions can be changed by the owner in case the mapping information on the authentication server is deleted or modified. Here, changing WRITE permission for WORM files must not be permitted, as doing so would be contrary to the basic characteristics of WORM-committed files.
In accordance with a fourth embodiment of the present invention, notification of user IDs of owners of WORM files is sent to authentication server when files are committed to WORM state. The authentication server can then lock the mapping information for the user IDs to prevent it from subsequent modification or deletion.
In accordance with a fifth embodiment of the present invention, there is mapping information of user IDs and group IDs in NAS System 10. The mapping information of user IDs and group IDs is registered by the administrator of NAS System 10. Thus, even when the mapping information for a user ID of a user on the authentication server 12 is modified, and the user gets another user ID, Local File System 1005 can realize the user is the same by checking the mapping information in NAS System 10. And even when it's deleted, Local File System 1005 can realize the files that the user owns are relegated to another user by checking the information.
If the user does not have the right authority, a check is made if the file is in WORM state (step g30). If the file is in WORM state, a check is made in a step g40 whether the user can be mapped to either a mapped user or to mapped group; otherwise the request is rejected at step g70. If the user can be mapped, then a check is made in a step g50 whether the mapped user has read authority; otherwise the request is rejected. If the mapped user has the authority to read, the Local File System 1005 allows the operation (step g60).
The mapping of a user involves the table of
Claims
1. In a storage system having a operating a WORM (write-once, read many) storage component, a method for operating the storage system comprising:
- receiving a commit request to commit a file to a WORM state, the file being associated with an owner of the file, the file further being associated with a write attribute that specifies whether write operations can be performed on the file, the file further being associated with a read attribute that specifies whether read operations can be performed on the file;
- in response to receiving the commit request, changing the write attribute of the file in a manner that no subsequent write operations can be performed on the file; and
- further in response to receiving the commit request, performing one of: changing the read attribute of the file in a predetermined manner that only predetermined users can subsequently access the file for reading; or transmitting a notification to a computer system separate from the storage system, the notification including information indicative of the owner of the file.
2. The method of claim 1 wherein the read attribute is changed in a manner to permit subsequent read access by any user.
3. The method of claim 1 wherein the file is further associated with a group identifier, the group identifier being associated with one or more users, wherein the read attribute is changed in a manner to permit subsequent read access by any user associated with the group identifier.
4. The method of claim 1 further including changing the owner of the file to a second owner, wherein the read attribute is changed in a manner to permit subsequent read access only for the second owner.
5. The method of claim 1 wherein the file is further associated with a group identifier, the group identifier being associated with one or more users, wherein the read attribute include a first read access attribute for the owner, a second read access attribute for the group, and a third read access attribute for users other than the owner and the users associated with the group identifier.
6. The method of claim 1 wherein the computer system is an authentication server.
7. A storage system comprising a plurality of physical disk drives, one or more first disk drives from among the plurality of physical disk drives being configured to store a plurality of files, one of more second disk drives from among the plurality of physical disk drives being configured to store a plurality of WORM-committed files, the storage system operative to perform the method recited in claim 1.
8. A method for a storage system comprising a WORM storage component, the method comprising:
- receiving commit requests to commit files to a WORM state thus creating a plurality of WORM-committed files, the WORM-committed files each being associated with a user ID and a group ID, the user ID indicative of a file owner, the group ID indicative of a group to which the file owner belongs, the WORM-committed files each further being associated with read access attributes;
- receiving an attribute request to change an attribute of a first WORM-committed file, the attribute request being associated with a first user, the first user being associated with a group; and
- if the first user belongs to a list of predetermined users, or if the first user is associated with a group that belongs to a list of predetermined groups, then changing the attribute of the first WORM-committed file according to the attribute request,
- wherein if the first user does not belong to the list of predetermined users and if the first user does not belong to one of the predetermined groups, then the attribute request is not serviced.
9. The method of claim 8 wherein the attribute request is a request to change ownership of the first WORM-committed file.
10. A storage system comprising a plurality of physical disk drives, one or more first disk drives from among the plurality of physical disk drives being configured to store a plurality of files, one of more second disk drives from among the plurality of physical disk drives being configured to store a plurality of WORM-committed files, the storage system operative to perform the method recited in claim 8.
11. The storage system of claim 10 configured as a NAS (network attached storage) system.
12. A method for a storage system comprising a WORM storage component, the method comprising:
- receiving commit requests to commit files to a WORM state thus creating a plurality of WORM-committed files, the WORM-committed files each being associated with a user ID and a group ID, the user ID indicative of a file owner, the group ID indicative of a group to which the file owner belongs, the WORM-committed files each further being associated with read access attributes;
- receiving an attribute request to change an attribute of a first WORM-committed file, the attribute request being associated with a first user, the first user being associated with a group; and
- changing the attribute of the first WORM-committed file according to the attribute request,
- wherein the attribute request is a request to change either a read access permission of the first WORM-committed file or an execute access permission of the first WORM-committed file.
13. A storage system comprising a plurality of physical disk drives, one or more first disk drives from among the plurality of physical disk drives being configured to store a plurality of files, one of more second disk drives from among the plurality of physical disk drives being configured to store a plurality of WORM-committed files, the storage system operative to perform the method recited in claim 12.
14. The storage system of claim 13 configured as a NAS (network attached storage) system.
15. A method for a data storage system having a WORM storage component comprising:
- storing a plurality of WORM-committed files, each having associated therewith a user ID;
- receiving a read request to read a first WORM-committed file, the read request having associated therewith a user ID; and
- if the user ID that is associated with the read request belongs to a predetermined ID, or if the user identified by the user ID that is associated with the read request belongs to a predetermined group, then servicing the read request.
16. The method of claim 15 wherein servicing the read request includes transmitting a file identifier that identifies the first WORM-committed file.
17. The method of claim 15 further comprising consulting a user ID mapping table comprising a plurality of user IDs, wherein if the user ID that is associated with the read request is in the user ID mapping table, then servicing the read request.
18. The method of claim 15 further comprising consulting a group ID mapping table comprising a plurality of group IDs, wherein the user identified by the user ID that is associated with the read request is associated with a group ID, wherein if the user's group ID is in the group ID mapping table, then servicing the read request.
19. A storage system comprising a plurality of physical disk drives, one or more first disk drives from among the plurality of physical disk drives being configured to store a plurality of files, one of more second disk drives from among the plurality of physical disk drives being configured to store a plurality of WORM-committed files, the storage system operative to perform the method recited in claim 15.
20. The storage system of claim 19 configured as a NAS (network attached storage) system.
Type: Application
Filed: Mar 14, 2005
Publication Date: Sep 14, 2006
Applicant: Hitachi, Ltd. (Tokyo)
Inventor: Junichi Hara (Cupertino, CA)
Application Number: 11/080,065
International Classification: G06F 17/30 (20060101);